BESCA Data Privacy Notice BESCA 


Organisation: BESCA 
Service: Schemes and Audit 


This privacy register tells you about the personal data BESCA and Associated Partners collect and the associated processing activities relevant 
to delivering this service. 


Our role in processing your data 
Data Controller — we have overall responsibility for your personal data. 


About the personal data we hold 

The main categories of personal data we process are as follows: 

° Title, Name, Email, Contact Details, Address, Company Name, Company Address 
. Financial Data, Direct Debit, Banking Details, Insurance Data, Qualifications Data 


Sensitive Personal Data 
The special categories of sensitive personal data that we hold about you are as follows: 
e N/A 


Why we are capturing your data 

We capture your data so we can undertake the following processing activity: 
e Scheme sign-up, registration, enrolment, audit 

e Application / Recommendation for Certification Forms 

e Document Archiving 

e Regulatory Activity 

e Regulatory Notifications and Reporting 


Automated decision making and profiling 
There isn’t any automated decision making or profiling undertaken within the scope of our processing activity. 


Our legal basis for processing your data 

We need a clear legal basis for capturing and processing your data. For this service this is: 

e Contractual — some of the services we provide is defined by a service agreement or contract. 

e Legal Obligation — some of the services we undertake because there is a legal obligation for us to do so. 


Other legitimate interests 

There is a legitimate interest in sharing your data within the BESA Group for the purposes of: 
e Utilising IT systems for processing activity 

e Utilising financial services for processing activity 

e For us to make you aware of related training courses 

e To undertake audit in line with scheme membership requirements 


Who we share your data with 

To deliver our service, your data may be shared with the following types of organisation. 
e Archiving Facilities 

e Legal Services (Solicitors & Lawyers) 


° Insurance Provider 
e Auditors 
° Industry regulatory bodies 


. Payment Processor 
e Website Register 
e Software System Suppliers 


Sending your data outside the EU / EEA 
Personal data is not transferred to a third-party outside of the European Union or European Economic Area. 


Our criteria for retaining your data 
The personal data will be retained for the necessary time required to deliver this service and in line with relevant legislation for data 
retention, but for a minimum of 6 years. 


Consequences of not giving us your data 

By not providing the required information, we may not be able to deliver required services, including audit. Data presented for audit to 
provide a clear and confident audit trail will be treated confidentially in line with the Privacy Notice, failure to present evidence required 
may affect scheme membership. 
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Your rights 
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights: 
e Right of access 
You have the right to request a copy of the information that we hold about you. 
e Right of rectification 
You have a right to correct data that we hold about you that is inaccurate or incomplete. 
e Right to be forgotten 
In some circumstances you can ask for the data we hold about you to be erased from our records. 
e Right to restrict processing 
Where certain conditions apply to have a right to restrict the processing. 
e Right of portability 
You have the right to have the data we hold about you transferred to another organisation. 
e Right to object 
You have the right to object to certain types of processing such as direct marketing. 
e Right to object to automated processing, including profiling 
You also have the right to object to the legal effects of automated processing or profiling. 


Your consent 

By consenting to this privacy notice you are giving us permission to process your personal data for the purposes identified. Where we are 
asking you for sensitive personal data we will always tell you why and how the information will be used. You may withdraw consent at any 
time. 


If you have a complaint 

Should you wish to complain about how your data is being handled, in the first instance please contact the Data Protection Office specified 
below. If your complaint is not handled to your satisfaction, you also have the right to raise your concerns with the relevant supervisory 
authority. 


Details of the data controller 
GDPR Owner 

BESA Group 

Old Mansion House 

Eamont Bridge 

Penrith 

CA10 2BX 


The supervisory authority for data protection 


Supervisory Authority: Information Commissioner’s Officer (ICO) 
Website: http://ico.org.uk 
Telephone: 0303 1231113 
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